Key exchange and key rollover
* Upload your key to parent (first key exchange)
  - procedure is registry dependent
* Key rollover task
  - Generate a new key
  - Publish new key in your zone file and sign with old and new key
  - Don't forget to inform those resolvers that need you as a secure island (trusted-keys configuration)
  - Trigger the registry (push or pull)
  - Check availability of SIG over new DS record at parent
  - Remove old key
Note:
To protect yourself from loss of external connectivity, you want to configure your local resolvers with the key of your zone. There are as yet no tools to auto-configure resolvers with new keys during a scheduled key rollover.

This might make corporate resolver reconfiguration one of the more complicated steps in key rollovers.

Even when you do not roll over your keys regularly you should still audit the setup once in a while and/or practice the key rollover. You need to be familiar with the procedures in case of an unscheduled emergency rollover.
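
The gate between "Check availability of SIG over new DS record at parent" and "Remove old key" can be practised offline. The following is an added example, not part of the original slides: it derives the DS the parent should publish for the new key and refuses removal of the old key until that DS is present. It assumes RFC 4034 DNSKEY/DS formats, a hypothetical zone example.com with constructed placeholder key bytes, and DS tuples already fetched from the parent; checking the signature over the DS set is left to a validating resolver.

```python
import base64
import hashlib
import struct

HASHERS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types 1 and 2

def name_to_wire(name):
    """Canonical (lower-case) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key_b64):
    """DNSKEY RDATA as it appears on the wire, from zone-file fields."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(public_key_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, rdata, digest_type=2):
    """(key tag, algorithm, digest type, hex digest) the parent should publish."""
    digest = HASHERS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def new_ds_at_parent(owner, new_rdata, parent_ds_set):
    """True only if some DS in the parent's set matches the new key exactly."""
    for tag, alg, dtype, digest in parent_ds_set:
        if dtype not in HASHERS:
            continue  # unknown digest type: cannot confirm, so do not count it
        if make_ds(owner, new_rdata, dtype) == (tag, alg, dtype, digest.lower()):
            return True
    return False

# Constructed sample data: the key bytes are placeholders, not real keys.
OWNER = "example.com."
OLD_KEY = dnskey_rdata(257, 3, 8, base64.b64encode(b"constructed old key").decode())
NEW_KEY = dnskey_rdata(257, 3, 8, base64.b64encode(b"constructed new key").decode())

if __name__ == "__main__":
    before = [make_ds(OWNER, OLD_KEY)]          # registry not yet updated
    after = before + [make_ds(OWNER, NEW_KEY)]  # registry has picked up the new key
    for label, ds_set in (("before", before), ("after", after)):
        ok = new_ds_at_parent(OWNER, NEW_KEY, ds_set)
        print(label, "-> remove old key" if ok else "-> keep old key published")
```

A DS whose key tag matches but whose digest was computed for a different owner name or key is rejected, which catches a registry submission made for the wrong zone.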